Leaked: The UK's secret blueprint with telcos for mass spying on internet, phones – and backdoors

The UK government has secretly drawn up more details of its new bulk surveillance powers – awarding itself the ability to monitor Brits' live communications, and insert encryption backdoors by the backdoor. In its draft technical capability notices paper [PDF], all communications companies – including phone networks and ISPs …

Silver badge

Heh

"as well as effectively make unbreakable encryption illegal"

Not convinced it does this, but let's pretend it does - it's a technology war they'll lose so they're welcome to go proverbially nuts.

41
1
Anonymous Coward

Re: Heh

It does not restrict the use of encryption. What it effectively prohibits is the provision of encryption by carriers. So customers just have to get their encryption from somewhere else.

This has been the position in New Zealand, for example, for some time. As a tool for nobbling local companies competing in the data security space, it'll probably work a treat. As a way of stopping the use of strong encryption, not so much.

36
0

Re: Heh

I'm not sure that they haven't already lost the technology war. See this short video about Signal at theintercept.com.

4
0
Anonymous Coward

Re: Heh

Signal, developed by Whisper Systems, is literally based in the US.

If you truly need privacy in your communications, relying on the product of any US based company is not a bright idea.

12
3

Re: Heh

Maybe, but if being based in the US is your criterion for not trusting encryption, iPhones and Android are not safe, so we may as well not even try. theintercept.com came about as a result of Glenn Greenwald publishing Edward Snowden's revelations, so they are very strong on encryption and I'm inclined to trust their recommendation of Signal.

2
0
Anonymous Coward

Yes but was it Snowden

Yes but was it Snowden that recommended Signal (wants god access)?

2
0

Re: Yes but was it Snowden

Yes, it was Snowden's recommendation: https://whispersystems.org/

2
0
Anonymous Coward

Re: Yes but was it Snowden

Yeah, I'd need to know more about the reasoning behind his recommendation, and how resistant he feels they'd be to pressure.

1
0
Silver badge
Big Brother

"not be allowed to introduce true end-to-end encryption"

Sorry, totalitarian rulers, but unless you plan on using technical measures to physically block access to foreign (as in beyond your jurisdictional powers) VPN privacy services, what you plan to "allow" is of no consequence.

Although I fully expect that such services will in fact eventually end up being deemed "illegal", in principle, even if it's beyond their power to actually stop us using them.

0
0

Re: Heh

So by that statement, the encrypted backdoors the Gov plan to deploy should also use encryption that is breakable.

I wonder how many of these backdoors will be exploited on day zero, and who will be responsible for the cleanup ... shift the blame to telcos? Probably

1
0
Anonymous Coward

Re: Heh

I quite like the idea of outlawing encryption. It'll make DRM illegal too, won't it?

Or have I misunderstood...

1
0

Are you willing to go to jail for owning a compiler, or running Linux ? That's where this will end up...

25
2
Silver badge

Going to Jail?

They'd better build a wall around the Country then. Anyone who owns an Android is running the Linux kernel and as for Apple... HMG can go sing before they give up their encryption or put backdoors in their iDevices. The FBI and NSA have already hit that brick wall.

20
1
Silver badge

Re: Going to Jail?

The draft does not seem to say this - it seems aimed at communication carriers. On the other hand, is there anything to prevent another order, or perhaps a new law, requiring devices sold in the UK with manufacturer provided encryption be decryptable by the manufacturer, much the same as this order appears to require carriers to be able to decrypt communications encrypted by or for them?

5
0
Anonymous Coward

@Steve Davies 3 - Re: Going to Jail?

I'm sorry, Steve, but I have to get you down from your high horses because Android poses no problem to mass surveillance lovers. On my beautiful shiny Samsung Galaxy S6 an application I want to shut down (because I don't use it) will always be restarted and the button to disable it is greyed out. More than that, I disabled notifications from this application and now it sends me notifications to alert me that it can't send me notifications. My wife's LG pesters her to download and install Evernote and there's no way to tell it to shove off. This is to prove that you have absolutely no control over Android, somebody else has, so it can't protect you like Linux would do. Linux trusts and obeys you while Android does not, even though it runs a Linux kernel.

32
1
Silver badge

Re: @Steve Davies 3 - Going to Jail?

Android rooting is your friend

8
0
Anonymous Coward

Re: @Steve Davies 3 - Going to Jail?

Maybe you should consider a technically competent choice of phone over the big brand loyalty.

I have an OP3...never get nagged for anything and can easily disable their "Oxygen" layer.

5
0
Anonymous Coward

Most if not all Linuxes already have compromises. It ain't as easy as just installing Linux.

1
3
Anonymous Coward

Re: @Steve Davies 3 - Going to Jail?

not using Android or IOS at all is a much smarter move.

trusting a rooted android is just as stupid as trusting any mainstream OS.

except you have slightly more control, but a leaky bucket is still leaky.

2
2

Re: @Steve Davies 3 - Going to Jail?

can confirm.

0
0

Re: @Steve Davies 3 - Going to Jail?

"Android rooting is your friend"

Deliberately circumventing platform security is not your "friend" and certainly shouldn't be the expectation that users have to get the functionality they want.

Send a message with your money, people. Don't buy crap phones.

1
0

then god help those with pic programmers

1
0
Anonymous Coward

Re: @Steve Davies 3 - Going to Jail?

"Maybe you should consider a technically competent choice of phone over the big brand loyalty."

100% agree, your problem is not with Android, but with LG and Samsung. My Nexus doesn't do anything like this, runs the latest Android version and gets monthly security updates. Android isn't one thing, it's thousands of things; don't assume they are all the same.

1
0
Anonymous Coward

Re: Going to Jail?

Seems like a cunning plan to put local ISPs out of business. They will flee to overseas providers as private data gets hoovered, bank transactions get hijacked and everyone is massively defrauded. The entire UK internet user base will be transformed into low-hanging fruit if this shit ever passes.

Unless of course the HMG thought all this through carefully, just like the NSA and CIA did. Good luck with that.

0
0

Encryption is not made "illegal"

Ineffective, maybe, since the sender can't guarantee the security of their communication.

Making encryption "illegal" would mean plod knocking on your door if you actually use it. Or sell it.

This proposal is bad enough. There is no need for hyperbole.

8
9
(Written by Reg staff) Silver badge

Re: Encryption is not made "illegal"

By illegal we mean it outlaws the implementation of truly secure encryption. You, as an individual, using it may not be in trouble, but you, an app developer, will be if your product doesn't obey a technical capability notice served on it (that's a backdoor with a fancy name).

C.

39
2
Anonymous Coward

Re: Encryption is not made "illegal"

you, an app developer, will be if your product doesn't obey a technical capability notice

And if the app was developed in (say) Canada but downloaded and used in the UK, who does the TCN get served on?

24
0
Anonymous Coward

Re: Encryption is not made "illegal"

The ISP, from what I got from the document, which means they will block them, leaving it in the best interest of app designers to put the back door in.

0
6
Silver badge

Re: Encryption is not made "illegal"

outlaws the implementation of truly secure encryption

That's the end of the economic system as we know it. Quantum key distribution is out, VPNs are out, ssh is out. This will never happen.

what I got from the document which means they will block them

They can block my outbound ssh if they're willing to pay my wages until I'm 70, or they can do one. I'm happy to take this to court. If they're not blocking ssh then the law is moot.

21
1
Silver badge

Re: Encryption is not made "illegal"

If I understand it correctly, any developer who offers an encrypted app or service and is served a notice has 24 hours to decrypt the data they have on someone and hand it over or they are breaking the law.

This does not allow for e2e encryption. Despite MPs saying it wasn't banned, it was banned.

Has their braindead legislation just made hashed and salted passwords illegal?

Maybe the future for apps is a plugin architecture and open source e2e plugins on github, similar to PGP encrypting email messages despite SMTP knowing nothing about how that's done.

19
1

Re: Encryption is not made "illegal"

> but you, an app developer, will be [in trouble]

Is that correct? From the PDF, "A technical capability notice imposes obligations on a telecommunications operator or postal operator in order to", implies that this could not be applied to an app developer per se, although it could be applied to an app delivered by a telco or postal operator.

There may be more to read in the full act et al, but I didn't see anything applying to individuals. Although that could be the next logical step.

Regardless of the scope though, this proposal does appear to place an obligation on telcos etc to undermine the fundamental security of the communication systems they provide in a manner that can eventually be subverted by ne'er-do-wells. I did particularly like the obligation to design for the hacking of any supplied equipment, "1. To provide and maintain the capability for interference with equipment to be carried out, for the purpose of obtaining communications, equipment data or any other information ..."

12
0
Silver badge

Re: Encryption is not made "illegal"

"14. To consider the obligations and requirements imposed by any technical capability notice when designing or developing new telecommunications services or telecommunication systems."

That there looks like banning e2e encryption and building in realtime monitoring.

7
1
Silver badge

Re: Encryption is not made "illegal"

"you, an app developer, will be"

It's vague, but the legislation reads very much as if app developers aren't included because they don't provide end points. The same wording was used in previous legislation that never covered apps. However an enterprising policeman might argue that Skype, for example, is a communication provider.

3
0
Silver badge

Re: Encryption is not made "illegal"

I missed that when I read the document. A clarifying reference would be helpful in understanding this claim.

1
0
Silver badge

Re: Encryption is not made "illegal"

Err... no, it just doesn't. Look at the language again:

to disclose, where practicable, the content of communications...

to remove electronic protection applied by or on behalf of the telecommunications operator

There's nothing there that prevents you from having all the encryption you like. You just can't get it from a "telecommunications operator". At least, not a UK one.

6
0
Silver badge

Re: Encryption is not made "illegal"

He doesn't need to argue, Skype etc... already are covered:

A telecommunication service is defined at Clause 223(13) as ‘a system that exists for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy’.

Privacy International

1
0

Re: Encryption is not made "illegal"

You are taking the Lewis Carroll defence:

‘When I use a word,’ Humpty Dumpty said in rather a scornful tone, ‘it means just what I choose it to mean — neither more nor less.’

1) encryption hasn't been made illegal, and 2) back doors are nothing new.

1
0

Re: Encryption is not made "illegal"

If my Auntie had balls she'd be my Uncle.

"Looks like" doesn't cut it. Encryption has not been banned in the UK. The UK has reserved the right to punch a hole in it whenever it wants to, and it will probably be unsuccessful.

This is a disturbing development, but not a surprising one.

1
1
Silver badge

Re: Encryption is not made "illegal"

If you're a developer in the UK making something that can be considered a telecoms app or service, you need to avoid e2e encryption and build in realtime monitoring; otherwise, if you are told to give up data on someone, you won't be able to respond in 24 hours with the data they ask for and therefore you will have broken the law.

They even tell you to consider this law when designing your app or service.

But no, there's no "we ban e2e encryption" clause. Why would there need to be if you end up in a whole heap of trouble anyway?

5
0
Anonymous Coward

Re: Encryption is not made "illegal"

And thus anything "over the top" can be argued not to be a "telecommunication service".

VPN - that runs "over the top" of TCP/IP. PGP messages can't transmit themselves.

1
0

Anonymous Coward

Re: Encryption is not made "illegal"

If you even slightly care about privacy, you won't be using Skype.

2
1
Anonymous Coward

Re: Encryption is not made "illegal"

"And if the app was developed in (say) Canada but downloaded and used in the UK, who does the TCN get served on?"

everyone.

0
0

Re: Encryption is not made "illegal"

TCP runs over the top of IP ... IP (typically in the U.K.) runs over the top of MPLS etc ... so where the line gets drawn will be up to judges.

1
0

Re: Encryption is not made "illegal"

Again, it's the over the top services that will be the "fun".

MPLS/BGP/TCP et al can be inspected, as it's a known protocol. If the packets going up/down said wires turn out to contain encrypted stuff, that's WAY beyond the OpCo's wires, and the telcos will simply go "meh" as it's not in their domain to control, unless they start doing DPI and being ordered to block anything they can't decode.

In which case we'll see digital steganography of another kind. Stuff will look like/be valid traffic, and just be nonsense, with anything relevant buried in some way that'll be harder to spot.

1
0
Anonymous Coward

Re: Encryption is not made "illegal"

"To provide and maintain the capability for interference with equipment"

Another reason NOT to use the ISP supplied Router

1
0

Re: Encryption is not made "illegal"

That's a horrible piece of English. Could argue this only covers electrical and electronic hardware? Skype is facilitated by using a system based on these, but could just as well use Naval Flags or the CLACKS to transmit, but does not actually directly "facilitate the transmission of communications by any means involving the use of electrical or electromagnetic energy".

Several hundred million in legal fees later...

1
0
Anonymous Coward

Re: Encryption is not made "illegal"

A telecommunication service is defined at Clause 223(13) as ‘a system that exists for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy’.

Interesting. Returning to pneumatic tube technology may be worthwhile after all. As long as it's pumped by hand.

2
1

Re: Encryption is not made "illegal"

"They" can't serve a technical capability notice on an app developer - only on telcos.

1
0
Silver badge

Re: Encryption is not made "illegal"

Not pneumatic tube. Carrier pigeon. It's been in the wild for over a quarter century. I've seen it in action, and it works nicely for small messages. See: RFC 1149

3
1


Biting the hand that feeds IT © 1998–2017